The right to personal information security in Vietnam

Updated: 11:49’ - 19/08/2015

Dinh Thi Lan Anh, LL.M
Faculty of Law, People’s Security Academy

The need for security is a basic need of humans

Article 3 of the Universal Declaration of Human Rights adopted in 1948 by the United Nations General Assembly states: “Everyone has the right to life, liberty and security of person.” Understood in a broad sense, personal security covers many aspects of people in social life. When entering the social life, every person must have certain information for identification and, therefore, the need for personal information security is also part of the right to privacy and an aspect of human rights.

Recent years have seen the popularity of the Internet and various forms of communication that has greatly affected all aspects of human life. Information and communications technologies, including mobile technologies connected with the Internet and other information systems, have enabled people to collect, store and access information in nearly every corner of the world. These technologies have brought about numerous economic and social benefits for individuals, businesses, states and the entire society, allowing us to access, collect and use huge amounts of information, but have not yet backed the identification of participants in these activities. As a result, it is difficult to manage personal data and concern is growing over damages that may occur when personal data are misused.

Due to the recent occurrence of a series of personal information security incidents, the society has paid greater attention to the confidentiality of personal information and the need for personal information security has become imperative. Personal information has been regarded as an asset of everyone. For many, personal information is even more valuable than many tangible assets. If a person’s personal information is stolen and distorted, his privacy and lawful rights and interests will be seriously affected. In reality, the security of personal information faces many risks. In less serious cases, stolen personal information is sold to market research firms and product and service traders for building databases of potential customers. In more serious ones, hackers steal credit card numbers and money of credit card holders to pay for online purchases, or steal Internet banking account information. The consequences of the loss of personal information may range from trivial problems to deletion of important databases, privacy infringement or even breakdown of whole systems.

According to the Ministry of Industry and Trade’s 2014 e-commerce report, 42% of Vietnamese online shoppers are worried about their personal information security, which is ranked fourth among online shoppers’ troubles. Particularly, personal information security has become more complicated due to increasing numbers of trans-boundary transactions, which cause difficulties to enforcement agencies in tracing and investigating information to serve the settlement of complaints.

In Vietnam, the right to inviolability of privacy, personal secrets and family secrets is guaranteed and protected under Article 21 of the 2013 Constitution. It is also recognized as an important civil right in Article 38 of the 2005 Civil Code.
Specific provisions on personal information and personal information security can be found in various legal documents.

Personal information is understood as information that helps identify a specific person, including name, age, home address, phone number, medical information, bank account number, information about personal payment transactions and other information that a person wants to keep secret. According to Clause 13, Article 3 of Government Decree No. 52/2013/ND-CP on e-commerce, personal information excludes work contact information and information published by individuals themselves in the mass media. Information that a person wants to keep secret is defined in Decree No. 183/2013/ND-CP on administrative sanctions against acts of producing and trading in fake and banned goods, as follows:

“Personal secrets of consumers means information pertaining to consumers to which consumers or related organizations or other individuals have applied security measures and which, if disclosed or used without their consent, will cause negative effects on the health, lives, property or other physical or mental damages of consumers.” (Clause 12, Article 3)

To ensure the right to personal information security, the 2005 Law on E-Transactions stipulates that agencies, organizations and individuals may not use, provide or disclose information on private and personal affairs or information of others that they have accessed or taken control in e-transactions without permission, unless otherwise prescribed by law (Clause 2, Article 46).

Article 6 of the 2010 Law on Protection of Consumers’ Rights also states:

“Consumers shall have their information kept secure and confidential when they participate in transactions and use goods or services, except where competent state agencies require the information.”

Specific regulations have also been put in place to ensure personal information security, such as Articles 21 and 22 of the 2006 Law on Information Technology, and Articles 68 thru 73 of Decree No. 52/2013/ND-CP on e-commerce.

Accordingly, organizations and individuals that collect and use personal information of consumers must obtain their prior consent and must use such information for the purposes and within the scope as agreed. Information collectors shall fulfill their obligations as required by law, including ensuring safety and security for collected and stored personal information and preventing the illegal access to, use, modification and destruction of such information.
Stealing, using, disclosing, transferring and selling personal information of consumers without their prior consent are regarded as violations of the law on protection of personal information.

Violators will be fined or criminally punished in accordance with law. According to Decree No. 185/2013/ND-CP, a fine of up to VND 20 million will be levied on violations of the law on protection of consumers’ personal information, while a fine of between VND 5 million and VND 30 million will be imposed on violations of the law on protection of personal information in e-commerce activities. Those who steal, use, disclose, transfer and sell information relating to trade secrets of traders and other organizations, or personal information of consumers will pay a fine of VND 30-40 million.

Regarding criminal charges, Article 27 of Law No. 37/2009/QH12 amending a number of articles of the Penal Code, stipulates that those that trade in, exchange, donate, modify or publish lawful private information of other agencies, organizations and individuals on computer networks, telecommuni­cations networks and Internet without permission of owners of such information will face imprisonment for up to three years.

At present, Vietnamese lawmakers are working hard on the Law on Information Security, which contains many specific regulations on protection of personal information on the Internet. Articles 28 thru 32 of the draft Law regulate principles of protection of personal information on the Internet, the collection, use, updating, modification and deletion of personal information, and duties of state management agencies in this field. Concerning protection of personal information security, the draft Law has an important provision that individuals must be responsible for protecting their personal information and following regulations on provision of personal information when using online services.

The latest draft of the revised Civil Code also introduces fresh provisions on the right to personal secrets, which say that the collection, use and publishing of information and materials relating to privacy and personal secrets are subject to prior consent of the person concerned, except such is decided by a competent state agency. Security and confidentiality of correspondence, phone calls, telex and other forms of electronic files of individuals are guaranteed.

In practice, no advanced technologies may completely protect information security. Given the fast development and popularization of the Internet and other means of communication as well as the complicated situation of security and safety of the online environment and personal information, the creation of a legal corridor for information security protection is quite necessary to uphold fundamental civil rights enshrined in the 2013 Constitution.-